The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation


By Topic: Cyber Leadership

  • From Vol. 4 No.41 (Dec. 5, 2018)

    Insights From Uber: Building Bridges Between Legal and Engineering

    While lawyers and engineers often speak different languages, a productive working relationship is crucial when it comes to building effective privacy tools. Just last week Uber was fined a combined $1.17 million by British and Dutch authorities for its 2016 data breach that exposed the personal details of millions of customers. Since that breach, and prior to it as well, Uber’s privacy engineering and legal teams have been working together to build multiple tools for their privacy platform. Both teams spoke to The Cybersecurity Law Report about the program and how they partnered on these projects. In this second article of our two-part series on our conversation with Uber, we cover insights provided by these professionals about how to build bridges between engineering and legal teams, even in the absence of a shared vocabulary. The first installment looked at how Uber’s privacy team is structured, how it created and implemented its differential privacy tool, including how the tool helps with GDPR compliance. See also “How Cyber Stakeholders Can Speak the Same Language (Part One of Two),” (Jul. 20, 2016); Part Two (Aug. 3, 2016).

  • From Vol. 4 No.40 (Nov. 28, 2018)

    Insights From Uber: An Inside Look at Its Privacy Team Structure and How Legal and Tech Collaborated on Its Differential Privacy Tool

    Technical and non-technical teams often lack a shared vocabulary, making collaboration difficult. There are, however, ways to surmount this hurdle and engage in a productive working relationship through which effective privacy tools can be built. The privacy engineering and legal teams at Uber did just that in building their privacy platform. The Cybersecurity Law Report spoke to them about how they worked together to accomplish this. In this first installment of our two-part article series on legal and engineering collaboration at Uber, we look at how the company structures its privacy team and how it created and implemented its differential privacy tool, including how the tool helps with GDPR compliance. Part two will offer insight from both teams about how to build bridges between the engineering and legal professionals. See also “How Cyber Stakeholders Can Speak the Same Language (Part One of Two),” (Jul. 20, 2016); Part Two (Aug. 3, 2016).

  • From Vol. 4 No.38 (Nov. 14, 2018)

    How Privacy Professionals Can Benefit Cybersecurity Programs: Practical Tips From Gap and Privacy Panacea

    Privacy and security go hand in hand but, without a technical background, privacy professionals may feel unprepared to work with and provide oversight to security teams. To help overcome that hurdle, the associate general counsel of Gap Inc., and the president of Privacy Panacea, a boutique privacy advising firm, shared candid and practical tips on overseeing a cybersecurity program for non-technical privacy professionals at IAPP’s Privacy. Security. Risk. 2018 conference. For attorneys in the privacy space, “security has become much more of a legal issue,” Gap’s associate general counsel Dan Koslofsky said. See also “Tech Meets Legal Spotlight: Advice on Working With Information Security” (Jan. 11, 2017).

  • From Vol. 4 No.37 (Nov. 7, 2018)

    How GoDaddy Built an Effective Privacy Program

    Every company needs to customize its privacy approach and program, but insights from others’ successful experiences can help provide benchmarks, inspiration and best practices. At IAPP’s recent Privacy.Security.Risk conference, GoDaddy, the world’s largest internet domain name registrar, explained how it made its privacy program effective. GoDaddy’s chief privacy and risk officer Todd Redfoot was joined by assistant general counsel Serena Lai and director of technology risk management Leticia Webb. The team described how they built and implemented a broad and comprehensive program, tackled GDPR requirements and took innovative steps such as incorporating technologies to automate privacy compliance. See also “Building a Customer Privacy Program: Lessons from Dupont’s Privacy Leaders” (May 9, 2018).

  • From Vol. 4 No.36 (Oct. 31, 2018)

    IAPP-EY Annual Report Finds GDPR Compliance Strides and DPO Explosion

    Privacy programs have expanded in size and budget over the past year, the recently released IAPP-EY Annual Privacy Governance Report 2018 found. This expansion was due in large part to the GDPR, even though more than 50% of survey respondents reported they were not yet fully compliant and one in five stated they will never be GDPR compliant. While many companies have appointed DPOs, certain GDPR provisions have proved particularly challenging. Rita Heimes, IAPP research director and DPO, discussed some of these findings and provided additional survey insights to The Cybersecurity Law Report. See also “EY Global Data Analytics Survey Finds Lack of GDPR Preparedness and Need for Cross-Functional Collaboration” (Mar. 28, 2018).

  • From Vol. 4 No.33 (Oct. 10, 2018)

    Fifteen Tips for an Effective Cybersecurity Board Presentation

    Boards are becoming more engaged with cybersecurity issues as the risks have become more visible and the potential for director liability has risen. Directors want to be informed and are asking more detailed questions. For those providing the answers, an effective presentation is critical to obtain buy-in and budget in line with the company’s risk profile and tolerance. In addition, board presentations can be an opportunity to present cybersecurity efforts not as simply costing money, but also as creating business advantages. The Cybersecurity Law Report has compiled the following list to help with this task. See also “A CSO/GC Advises on How and When to Present Cybersecurity to the Board” (Feb. 22, 2017); and “How to Handle Rising Expectations for Board Cyber Education and Involvement” (Mar. 14, 2018).

  • From Vol. 4 No.30 (Sep. 19, 2018)

    Evolving Roles of Privacy and Security Professionals: Operationalizing Policies, Incident Response and Vendor Management

    Clear policies and effective collaboration go a long way toward improving security and privacy efforts across an enterprise. In this three-part series, current and former privacy and security leaders share their insights on how the CPO and CISO can effectuate these practices and protect their organizations. This final installment covers policy ownership and ideal implementation, and includes advice on effective collaboration when preparing for and responding to incidents and when assessing and contracting with third parties. Part two discussed effective governance, including reporting structure and the relationship with the board. Part one addressed how the skills necessary for each function have changed, how to combat ongoing challenges and whether companies should consider a convergence of the roles.

  • From Vol. 4 No.29 (Sep. 12, 2018)

    Evolving Roles of Privacy and Security Professionals: Effective Governance and Board Reporting

    Not only are the roles of the CISO and CPO changing, but so are their relationships within the organization. Many CISOs who used to report to the CIO now report to other functions and, along with the CPO, have a direct or dotted line to the board. In this three-part series, we speak to current and former privacy and security leaders at Citi, AvePoint, Hunton and national retailers about these positions and their integral, and sometimes overlapping, roles in protecting an organization. This second installment discusses effective governance, including reporting structure and the relationship with the board. The final part will cover ideal policy ownership, and will include advice on effective collaboration when preparing for and responding to incidents and when assessing and contracting with third parties. Part one addressed how the skills necessary for each function have changed, how to combat ongoing challenges and whether companies should consider a convergence of the roles. See also “How to Effectively Find, Compensate and Structure Cybersecurity Leadership (Part One of Two)” (Dec. 14, 2016); Part Two (Jan. 11, 2017).

  • From Vol. 4 No.25 (Aug. 15, 2018)

    How to Build a Cybersecurity Culture Using People, Processes and Technology

    While organizations strive to have strong security technology and effective cybersecurity policies, ultimately, one of the most powerful ways to protect themselves is to create a culture of security. The Cybersecurity Law Report spoke with Pamela Passman, president and CEO of Center for Responsible Enterprise And Trade (CREATe.org) about why creating a culture of cybersecurity from the break room to the boardroom is essential, and how to accomplish that. “Culture matters because it affects the company’s ability to function and get worth out of its innovations,” said Passman. See also “Privacy Leaders Share Key Considerations for Incorporating a Privacy Policy in the Corporate Culture” (Oct. 19, 2016).

  • From Vol. 4 No.16 (Jun. 13, 2018)

    What Lawyers Need to Know About Security Technologies and Techniques (Part Three of Three)

    The legal team is a crucial part of a company’s cybersecurity program and it is essential for members of that team to understand security technologies and how they are used to mitigate data breach risk. This final installment in our three-part series, featuring advice from legal and technical experts, covers how and when common types of cloud solutions are used and the attorney’s role in mitigating risk in connection with this service. It also addresses what to consider when “hacking back” to secure data. Part one explored the appropriate knowledge base for the different attorney roles, technology’s place in mitigating risk, and certain technologies and techniques, such as pen testing. Part two continued examining other security techniques, including red teaming, vulnerability scanning and social engineering. See also “Negotiating an Effective Cloud Service Agreement” (Sep. 13, 2017).

  • From Vol. 4 No.7 (Apr. 11, 2018)

    When and How Legal and Information Security Should Engage on Cyber Strategy: Assessments and Incident Response (Part Two of Three)

    As regulators increasingly blend privacy and security issues, privacy officers and CISOs need to interact frequently to develop a healthy relationship for effective protection of key data. Our three-part series offers legal and technical expert advice on when and how these professionals should be communicating to build a strong working relationship for robust cybersecurity and data privacy programs. This second part examines how both teams can coordinate on incident response and for risk and privacy impact assessments. Part one covered how to structure corporate governance for optimal collaboration between these two groups. Part three will tackle coordination between legal and security on vendor assessments and in the M&A context. See “How Cyber Stakeholders Can Speak the Same Language (Part One of Two),” (Jul. 20, 2016); Part Two (Aug. 3, 2016).

  • From Vol. 4 No.6 (Mar. 28, 2018)

    When and How Legal and Information Security Should Engage on Cyber Strategy: It Starts With Governance (Part One of Three)

    Effective protection of key data requires a healthy relationship and frequent interaction between the legal and security functions. As regulators increasingly blend privacy and security subject matter, privacy officers and CISOs need to work together to stay compliant. This three-part series addresses when and how legal and security professionals should be communicating to build strong working relationships for a robust cybersecurity and data privacy program. Part one covers how to structure corporate governance for optimal collaboration between these two groups. Part two will look at how both teams can come together to assess risk and privacy impact. Part three will tackle coordination between legal and security on vendor assessments and in the M&A context. See “How Cyber Stakeholders Can Speak the Same Language (Part One of Two),” (Jul. 20, 2016); Part Two (Aug. 3, 2016).

  • From Vol. 4 No.2 (Jan. 31, 2018)

    How to Make the Most of Limited Compliance Resources

    Compliance departments are often being asked to do more with less as regulatory demands increase, in part from a rise in cybersecurity and privacy legislation. A recent presentation by ACA Compliance Group, “Planning Your 2018 Compliance Budget,” offered timely insight on how CCOs and compliance personnel can approach the compliance-budgeting process, get buy-in from senior management, avoid common pitfalls and stretch limited resources. The program featured Lee Ann Wilson, an ACA senior principal consultant; Sean McKeveny, an ACA consultant; and Kara J. Brown, counsel at Sidley. See “Managing the Increased Individual Risks and Responsibilities of Compliance Officers” (Jul. 29, 2015).

  • From Vol. 3 No.22 (Nov. 8, 2017)

    IBM Cybersecurity Counsel Offers Techniques for Speaking the Same Language as the C-Suite When Managing Cyber Risk

    Given the grave potential repercussions of data breaches, the C-suite needs to be aware of how the company is managing its cyber risk. Andrew Tannenbaum, chief cybersecurity counsel at IBM Corporation, spoke with The Cybersecurity Law Report about what to discuss with the C-suite during an evaluation of the company’s cyber risk programs. He also offered strategies for setting responsibility at various levels across the organization and for establishing a common language between internal stakeholders to effectively discuss and mitigate these risks. Tannenbaum will be a panelist at ALM’s cyberSecure conference on December 4 and 5, 2017, at the New York Hilton. A discount code for CSLR subscribers is inside this article. See also “How Cyber Stakeholders Can Speak the Same Language (Part One of Two),” (Jul. 20, 2016); Part Two (Aug. 3, 2016).

  • From Vol. 3 No.21 (Oct. 25, 2017)

    Advice From Recruiters on How to Attract the Best and Brightest Security and Privacy Leadership

    Demand for experienced and effective data security and privacy leadership is far outpacing supply. The Cybersecurity Law Report spoke to executive recruiters about finding and compensating chief technology officers, chief information security officers and chief privacy officers. In this article, we discuss their advice on defining a search, what skills to look for and their insight on market salaries. “Recruitment of top C-level executives in security, digital risk and privacy is a strategic and competitive undertaking. Globally, organizations are faced with the challenge of assessing and selecting the best and brightest leaders where titles, experience and credentials vary greatly across the cyber-executive landscape,” Tracy Lenzner, CEO of the executive search firm Lenzner Group, told us. See “How to Effectively Find, Compensate and Structure Cybersecurity Leadership (Part One of Two)” (Dec. 14, 2016); Part Two (Jan. 11, 2017).

  • From Vol. 3 No.20 (Oct. 11, 2017)

    How to Successfully Incorporate the Role of the Chief Technology Officer

    The precise responsibilities of a chief technology officer vary across organizations. With the increasing emphasis on cybersecurity, many organizations are asking CTOs to take on information security responsibilities, regardless of whether they are prepared. Others will be asked to partner with CISOs. Mark Lanterman, founder of Computer Forensic Services, spoke to The Cybersecurity Law Report regarding the shifting role of the CTO, how to make the dynamic role successful, and how CTOs and tech teams can communicate more effectively with legal and compliance teams. See also “How to Effectively Find, Compensate and Structure Cybersecurity Leadership (Part One of Two)” (Dec. 14, 2016); Part Two (Jan. 11, 2017).

  • From Vol. 3 No.19 (Sep. 27, 2017)

    Deloitte Survey Shows Getting Skilled Cybersecurity Talent and Addressing Cyber Threats Among the Top Challenges for Financial Institutions

    Financial institutions anticipate cybersecurity to be one of the top risks they will face over the next two years, according to a Deloitte survey. Exacerbating the challenge is recruiting skilled cybersecurity talent as well as obtaining near-real-time threat intelligence. The survey also found that some organizations have turned to corporate risk officers to assist them, while others have seen increasingly activist boards of directors. We analyze the results of the survey. See also “How Financial Service Providers Can Address Common Cybersecurity Threats” (Mar. 16, 2016).

  • From Vol. 3 No.17 (Aug. 23, 2017)

    Tips From Google, Chase and P&G Privacy Officers on Developing Strong Privacy Leadership and When to Use Outside Counsel

    In-house privacy attorneys are constantly challenged to keep abreast of changing legal and regulatory requirements, obtain and maintain executive support, and work with internal stakeholders and outside counsel in economically viable ways. At a recent PLI event, privacy counsel from Google, JPMorgan Chase and Procter & Gamble Company offered insight on the challenges that come with their roles, how privacy programs have grown, how they can be managed well despite the speed of change and how in-house lawyers can best work both with outside counsel and internal business teams. See also “Strategies for In-House Counsel Responsible for Privacy and Data Security” (Feb. 22, 2017).

  • From Vol. 3 No.15 (Jul. 26, 2017)

    How the CCO Can Use SEC Guidance to Tackle Cyber Threats

    Increasing cyber threats and a shifting regulatory landscape have expanded the role of CCOs, who need to ensure proper cyber defenses are in place and regulatory compliance is up to date. The CCO must manage a capable team and monitor developments while continuously updating the company’s compliance program and efforts. In this guest article, Guy Talarico, founder and CEO of Alaric Compliance Services, explores changing threat sources, regulatory priorities and best practices, with an emphasis on SEC guidance, as well as the information sources a CCO must track to fulfill this critical and dynamic role. See also “How to Effectively Find, Compensate and Structure Cybersecurity Leadership (Part One of Two)” (Dec. 14, 2016); Part Two (Jan. 11, 2017).

  • From Vol. 3 No.14 (Jul. 12, 2017)

    A Discussion With eHarmony’s GC About the Role of In-House Counsel in Cybersecurity

    The general counsel plays a critical role in a company’s cybersecurity, especially in high-profile events, as the blame the Yahoo GC shouldered in the 2014 breach revealed. The GC must have the necessary authority to ensure the company develops appropriate proactive measures and must be able to take a leadership position after an event has occurred. Ronald Sarian, vice president and general counsel of eHarmony, spoke with The Cybersecurity Law Report about how the GC can obtain and exercise his or her authority, and his own efforts to develop incident response plans, training, communication and escalation protocols. He also discussed how he built a strong relationship with the company’s technical teams, what he learned from the 2012 cyber attack on eHarmony and what in-house counsel can learn from the DLA Piper breach. See also “Strategies for In-House Counsel Responsible for Privacy and Data Security” (Feb. 22, 2017) and “Increasing Role of Counsel Among Operational Shifts Highlighted by Cyber Risk Management Survey” (Nov. 16, 2016).

  • From Vol. 3 No.13 (Jun. 28, 2017)

    Building an Enterprise-Wide Cyber Risk Management Program: Perspectives From the C-Suite (Part Two of Two)

    Even an organization with a highly mature cybersecurity risk-management program needs to keep pace with the changing legal and business landscape, and staying ahead of this challenge starts at the top. Just when the dust had started to settle from the widespread WannaCry attack, the ransomware attack dubbed Petya spread internationally, impacting government and commercial entities, including law firms. Using a hypothetical scenario based on starting a new business line involving financial services, executives from Dell, Amazon, Cybraics and Crowdstrike, playing the roles of the CEO, CISO, CRO and GC, recently offered advice on how to develop an information security risk management program; which key stakeholders are involved in the governance of the program; and how the CISO should interact with the program. In this second installment of our two-part article series, we hear from the chief risk officer on ideas for program revitalization and minimizing risk and from the general counsel on understanding and implementing applicable laws, and all four stakeholders provide practical takeaways. Part one set forth the facts of the simulation, the CEO’s concerns, and the CISO’s response to those concerns, particularly in connection with the resources needed and strategy. See also “How In-House Counsel, Management and the Board Can Collaborate to Manage Cyber Risks and Liability (Part One of Two)” (Jan. 20, 2016); Part Two (Feb. 3, 2016).

  • From Vol. 3 No.12 (Jun. 14, 2017)

    Cyber Crisis Communication Plans: What Works and What to Avoid (Part One of Two)

    Not every cyber incident results in a far-reaching compromise or disclosure of personal or confidential information, but even a small incident can erupt into a major high-profile cyber event depending on whether and how it becomes public. The publicity surrounding these events can render them more serious than the technical problem itself and raises the stakes on how companies respond. Because of the damaging effects press coverage can have, companies should be prepared with a thorough communications plan that contemplates more than just technical answers, experts told us. This first installment of our two-part series on breach communication plans discusses identifying key stakeholders and their roles, key playbook components and the benefits of advance planning, and offers advice on how to approach internal communications during a cyber crisis event. Part two will cover how to control and coordinate with a third-party vendor, strategies for handling external communications to the media, regulators and other stakeholders, and how to overcome common pitfalls and challenges. See also our three-part guide to developing and implementing a successful cyber incident response plan: “From Data Mapping to Evaluation” (Apr. 27, 2016); “Seven Key Components” (May 11, 2016); and “Does Your Plan Work?” (May 25, 2016).

  • From Vol. 3 No.12 (Jun. 14, 2017)

    Building an Enterprise-Wide Cyber Risk Management Program: Perspectives From the C-Suite (Part One of Two)

    Even an organization with a highly mature cybersecurity risk management program needs to keep pace with the changing legal and business landscape, and staying on top of this challenge starts at the top. Using a hypothetical scenario, executives from Dell, Amazon, Cybraics and Crowdstrike, playing the roles of the CEO, CISO, CRO and GC, offered advice on how to develop an information-security risk-management program; which key stakeholders are involved in governance of the program; and how the CISO should interact with the program. In this first part of a two-part article series, we present the facts of the simulation, the CEO’s concerns, and the CISO’s response to those concerns, particularly in connection with the resources needed and the strategy. In part two, we will hear from the chief risk officer and general counsel on the subject as well as the takeaways of all four stakeholders. See also “How In-House Counsel, Management and the Board Can Collaborate to Manage Cyber Risks and Liability (Part One of Two)” (Jan. 20, 2016); Part Two (Feb. 3, 2016).

  • From Vol. 3 No.7 (Apr. 5, 2017)

    A Discussion With Ireland’s Data Protection Commissioner Helen Dixon About GDPR Compliance Strategies (Part Two of Two)

    The E.U.’s General Data Protection Regulation, a sweeping law with harsh fines, is set to take effect in May 2018. Ireland, the European home of many large multinationals, is expected to be at the center of enforcement. We spoke to Helen Dixon, Ireland’s Data Protection Commissioner, about the upcoming changes and how companies can prepare for them. In this second article in our series, she discusses compliance with the non-harmonized areas of the GDPR, the GDPR's enforcement structure, enforcement challenges for the data protection authorities, and answers criticism of the law's penalties. The first article in the series contained her views on the most challenging compliance issues for companies, strategies to get buy-in from the C-suite for compliance resources and successful compliance models she has seen. See also “Getting to Know the DPO and Adapting Corporate Structure to Comply With the GDPR (Part One of Two)” (Jan. 25, 2017); Part Two (Feb. 8, 2017).

  • From Vol. 3 No.6 (Mar. 22, 2017)

    A Discussion With Ireland’s Data Protection Commissioner Helen Dixon About GDPR Compliance Strategies (Part One of Two)

    With the effective date of the GDPR fast approaching, Ireland – the site of the European headquarters of tech giants like Apple, Google and Facebook – is at the forefront of data protection and privacy enforcement. Leading the effort is Helen Dixon, Ireland’s Data Protection Commissioner. We spoke to Commissioner Dixon about the “game-changing” nature of the GDPR. This first part of our two-part series includes her views on the most challenging compliance issues for companies, strategies to get buy-in from the C-suite for compliance resources (including the threat of the heavy fines the Commissioner can levy), and successful compliance models she has seen. See also “Getting to Know the DPO and Adapting Corporate Structure to Comply With the GDPR (Part One of Two)” (Jan. 25, 2017); Part Two (Feb. 8, 2017).

  • From Vol. 3 No.4 (Feb. 22, 2017)

    A CSO/GC Advises on How and When to Present Cybersecurity to the Board

    As more boards come to understand cybersecurity as a critical issue that cannot be ignored, briefings on the topic have become more common. Those with the responsibility for presenting such briefings must understand what information is essential for the board to know and how to communicate it effectively. Dr. Chris Pierson, EVP, chief security officer and general counsel for Viewpost, a FinTech payments company, and the former CPO, SVP for the Royal Bank of Scotland’s U.S. banking operations, spoke to The Cybersecurity Law Report about his experiences briefing the board on cybersecurity and shared his insights on the most effective reporting structure, how to obtain buy-in and budget and the importance of communicating business advantage. See also “How In-House Counsel, Management and the Board Can Collaborate to Manage Cyber Risks and Liability (Part One of Two)” (Jan. 20, 2016); Part Two (Feb. 3, 2016).

  • From Vol. 3 No.4 (Feb. 22, 2017)

    Strategies for In-House Counsel Responsible for Privacy and Data Security

    Preparing for, preventing and responding to privacy and data security litigation are crucial aspects of the in-house attorney function. Key responsibilities for the role will often include developing training programs and privacy policies, working with the board, choosing the right outside counsel and effectively coordinating with them during major events. As part of a recent Practising Law Institute conference, a panel of in-house and outside attorneys from Greenberg Traurig, Glassdoor, Inc., Activision Blizzard and Pandora Media, Inc., discussed successful approaches to these tasks, as well as lessons learned from mistakes. See “Proactive Steps to Protect Your Company in Anticipation of Future Data Security Litigation (Part One of Two)” (Nov. 25, 2015); Part Two (Dec. 9, 2015).

  • From Vol. 3 No.3 (Feb. 8, 2017)

    Getting to Know the DPO and How to Adapt Corporate Structure to Comply With GDPR Requirements for the Role (Part Two of Two)

    The GDPR introduces the statutory position of the Data Protection Officer, who will have a key role in ensuring compliance with the regulation. But where and how does the DPO position function within the company? In this second installment in our two-part article series on the role, DPOs and counsel from around the world discuss how the DPO best fits in the corporate structure, and offer considerations for determining whether the role should be fulfilled internally or externally and five steps companies can proactively take to ensure they are prepared to comply with the GDPR’s DPO requirements. Part one examined when appointing a DPO is mandatory, how to select a DPO, and the requisite skillsets and responsibilities of the role, including the difference between the DPO and other privacy compliance roles. See also “Navigating the Early Months of Privacy Shield Certification Amidst Uncertainty” (Nov. 2, 2016).

  • From Vol. 3 No.2 (Jan. 25, 2017)

    Getting to Know the DPO and Adapting Corporate Structure to Comply With the GDPR (Part One of Two)

    Looking toward the GDPR’s May 25, 2018 implementation date, many organizations preparing for compliance are focused on the DPO role. While the position is not novel, the GDPR introduces new requirements. We spoke with experienced DPOs and counsel from around the world to clarify and shed light on the GDPR provisions and recent Article 29 Working Party guidelines relevant to the DPO role. This first part of our two-part series on the topic examines when appointing a DPO is mandatory, how to select a DPO, and the requisite skillsets and responsibilities of the role, including the difference between the DPO and other privacy compliance roles. Part two will discuss how the DPO best fits in the corporate structure, how to manage the budget for this role and steps companies can proactively take to ensure they are prepared to comply with the GDPR’s DPO requirements. See also “Navigating the Early Months of Privacy Shield Certification Amidst Uncertainty” (Nov. 2, 2016).

  • From Vol. 3 No.1 (Jan. 11, 2017)

    How to Effectively Find, Compensate and Structure Cybersecurity Leadership (Part Two of Two)

    Cybersecurity risk management requires having the right leadership and governance in place, and within that structure lies the shifting role of the chief information security officer and its reporting lines. With input from CISOs, executive search experts and attorneys, this article series provides insight into the most effective approaches to recruiting, compensating and structuring cybersecurity leadership roles. This second article in the series explains the problems with the current dominant CISO reporting structure and offers experts’ advice on effective governance as well as alternatives for companies that are not finding or cannot compensate a technical expert with executive-level experience. Part one covered how to find and compensate individuals for the multi-faceted cyber leadership role. “There’s a lot changing in the way people think about the CISO. There is a pretty fast-evolving set of responsibilities and reporting structure, especially given the increasing [attention to] security by the board of directors and others charged with the fiduciary responsibility of protecting a company,” Hertz CISO Peter Nicoletti told The Cybersecurity Law Report. See also our two-part series about the roles of the CISO and CPO, “Establishing Strong Cybersecurity and Data Privacy Leadership: The Roles of the Chief Information Security Officer and Chief Privacy Officer (Part One of Two)” (May 6, 2015); Part Two (May 20, 2015).

  • From Vol. 2 No.25 (Dec. 14, 2016)

    How to Effectively Find, Compensate and Structure Cybersecurity Leadership (Part One of Two)

    Managing the challenge of securing a company’s digital information while collaborating with other executive leadership is something that only a select group of individuals can do well. In this article series, The Cybersecurity Law Report spoke to CISOs, executive search experts and attorneys to examine what it takes to fulfill both of these crucial roles. This first article discusses the challenges of merging technology expertise with executive function, compensation expectations for cyber leaders, what companies should be (and are) looking for in candidates and the value of certifications. The second article will discuss the changing role of the CISO, including why many current reporting structures are not working, and what companies can do if they do not have the resources for or cannot find the right CISO. “Many organizations regard CISO and technology-risk executive recruitment as an increasingly daunting and complex process, and recognize that one size does not fit all,” Tracy Lenzner, founder and CEO of The Lenzner Group, a global executive search company, said. See “Establishing Strong Cybersecurity and Data Privacy Leadership: The Roles of the Chief Information Security Officer and Chief Privacy Officer (Part One of Two),” (May 6, 2015); Part Two (May 20, 2015).

  • From Vol. 2 No.25 (Dec. 14, 2016)

    Advice From Compliance Officers on Getting the C-Suite to Show You the Money for Your Data Privacy Program

    The end of the year is often when companies evaluate their budgets, and it is a crucial time to make sure the CEO is educated about data privacy legislation and its potential repercussions. So, how can privacy officers best advocate for system-wide buy-in and budget support of their data privacy programs? At a recent panel at IAPP’s Practical Privacy Series 2016 conference, compliance leaders from Shire, CBRE and InterSystems discussed their three different operational approaches and practical tactics for making sure the compliance office has the tools and the budget it needs to comply with dynamic global data privacy regulations, including the GDPR. See also “Privacy Leaders Share Key Considerations for Incorporating a Privacy Policy in the Corporate Culture” (Oct. 19, 2016).

  • From Vol. 2 No.16 (Aug. 3, 2016)

    How Cyber Stakeholders Can Speak the Same Language (Part Two of Two)

    The way cybersecurity terminology is used can significantly affect how a cyber event is handled. Differences in the training and background of certain cybersecurity stakeholders, particularly technical and legal teams, however, may lead to inconsistent use of important terms in the context of security breaches and protocols. This second article of a two-part series highlights ten of the most frequently misunderstood cybersecurity terms, and provides insight on their meanings and implications from both legal and security experts. Part one of the series examined how to overcome cybersecurity stakeholder communication challenges and detailed six strategies for better interaction. See also “Coordinating Legal and Security Teams in the Current Cybersecurity Landscape (Part One of Two)” (Jul. 1, 2015); Part Two (Jul. 15, 2015).

  • From Vol. 2 No.15 (Jul. 20, 2016)

    How Cyber Stakeholders Can Speak the Same Language (Part One of Two)

    In the areas of cybersecurity and data privacy, a company’s attorneys and technical teams must work together closely. The two groups often have different approaches, however, and may not speak the same language when it comes to handling security breaches and protocols. Commonly used terms can be used inconsistently, and their implications misunderstood. In this first article of a two-part series, attorneys and consultants with different perspectives share advice with The Cybersecurity Law Report on the importance of clear communication between key stakeholders. They also examine the different approaches to cybersecurity and detail six strategies for overcoming communication challenges. Part two of the series will explore frequently misunderstood cybersecurity terms and their meanings. See also “Coordinating Legal and Security Teams in the Current Cybersecurity Landscape (Part One of Two)” (Jul. 1, 2015); Part Two (Jul. 15, 2015).

  • From Vol. 2 No.15 (Jul. 20, 2016)

    Challenges Facing Chief Privacy Officers

    Constantly evolving data privacy laws and heightened cyber threats place a large burden on the shoulders of chief privacy officers (CPOs). At a recent PLI panel, Keith Enright, the legal director of privacy at Google; Lauren Shy, the CPO of PepsiCo; and Zoe Strickland, the global CPO at JP Morgan Chase, shared their thoughts on some of the recent challenges facing CPOs, including how to work with different departments, the CPO’s role in incident prevention and response, and the pros and cons of different cross-border data transfer mechanisms. The panel was moderated by Lisa J. Sotto, a partner at Hunton & Williams. See also “Establishing Strong Cybersecurity and Data Privacy Leadership: The Roles of the Chief Information Security Officer and Chief Privacy Officer” Part One (May 6, 2015); Part Two (May 20, 2015).

  • From Vol. 2 No.10 (May 11, 2016)

    Google, CVS and the FBI Share Advice on Interacting With Law Enforcement After a Breach

    Among the many decisions companies must make following a cyber incident are whether, when and how to engage with law enforcement. At the recent FT Cyber Security Summit USA, experts from Google, CVS Health, the FBI and the Center for Strategic and International Studies gave their advice on interacting with the government, and discussed the responsibilities and priorities of the compliance and legal teams in the wake of an attack. See also “Picking up the Pieces After a Cyber Attack and Understanding Sources of Liability” (Apr. 13, 2016).

  • From Vol. 2 No.9 (Apr. 27, 2016)

    A Guide to Developing and Implementing a Successful Cyber Incident Response Plan: From Data Mapping to Evaluation (Part One of Three)

    Many organizations are coming to terms with the troubling fact that they will fall victim to a cyber attack at some point, if they have not already. An effective incident response plan can be one of the best tools to mitigate the impact of an attack – it can limit damage, increase the confidence of external stakeholders and reduce recovery time and costs. The Cybersecurity Law Report spoke with a range of top experts, including consultants, in-house and outside counsel, who answered some of the tougher practical questions that are typically left unanswered in this area. They shared in-depth advice on the subject based on their own challenges and successes. In the first article of this three-part series, we cover what type of incident the plan should address, who should be involved and critical first steps to take in developing the plan, including references to sample plans and practical resources. Parts two and three will examine key components of the plan, implementation, evaluating its efficacy, pitfalls, challenges and costs. See also “Minimizing Breach Damage When the Rubber Hits the Road” (Feb. 3, 2016).

  • From Vol. 2 No.8 (Apr. 13, 2016)

    A Look Inside the Cybersecurity and Privacy Law Department of a Top Defense Company

    The “bad guys” seeking to hack into systems of defense companies want sensitive information not for commercial success, but to do our nation and our allies harm, and that changes the cybersecurity equation, Raytheon’s John Smith told The Cybersecurity Law Report. In a Q&A, Smith, the vice president, cybersecurity and privacy, and general counsel of the global business services group at Raytheon, discusses how the Raytheon cybersecurity and privacy department is structured, when outside counsel is called in, how Raytheon approaches information sharing, why the new Department of Defense cybersecurity guidance is flawed, and more. See also “How the American Energy Industry Approaches Security and Emphasizes Information Sharing” (Mar. 2, 2016).

  • From Vol. 2 No.2 (Jan. 20, 2016)

    How In-House Counsel, Management and the Board Can Collaborate to Manage Cyber Risks and Liability (Part One of Two)

    “Cybersecurity is an enterprise risk issue that should ultimately rise to the level of the board of directors,” Ivan Fong, senior vice president, legal affairs and general counsel of 3M Company, advised. Understanding the role of the board, and counsel’s role working with the board, is integral for managing cybersecurity risk effectively. Part one of this two-part article series examines the increased role of directors in ensuring companies are appropriately protected against cyber threats and how management, including in-house counsel, should communicate with the board and keep it updated and informed. Part two will address the litigation risks faced by the board and individual directors and how to limit that liability, including details about the role directors should play to satisfy their fiduciary duties. See also “Protecting the Crown Jewels Using People, Processes and Technology” (Sep. 30, 2015).

  • From Vol. 1 No.8 (Jul. 15, 2015)

    The Challenge of Coordinating the Legal and Security Teams in the Current Cyber Landscape (Part Two of Two)

    Legal and security teams each play a crucial role in cybersecurity and data protection, but working together to understand the most pressing threats and shifting regulatory landscape can be challenging. In this second article of our two-part series covering a recent panel at Practising Law Institute’s Sixteenth Annual Institute on Privacy and Data Security Law, Lisa J. Sotto, managing partner of Hunton & Williams’ New York office and chair of the firm’s global privacy and cybersecurity practice, and Vincent Liu, a security expert and partner at security consulting firm Bishop Fox, give advice on how to prepare for and respond to a cyber incident and how security and legal teams can effectively work together throughout the process. The first article in this series discussed the current cyber threat landscape and the relevant laws and rules.

  • From Vol. 1 No.7 (Jul. 1, 2015)

    Coordinating Legal and Security Teams in the Current Cybersecurity Landscape (Part One of Two)

    As cybersecurity concerns permeate every industry, it becomes increasingly urgent for lawyers across disciplines to understand the most pressing threats and shifting regulatory landscape; help shape and direct the responses; and be able to effectively communicate and collaborate with technical security efforts. In this first article in our two-part coverage of a recent panel at PLI’s Sixteenth Annual Institute on Privacy and Data Security Law, Lisa J. Sotto, managing partner of Hunton & Williams’ New York office and chair of the firm’s global privacy and cybersecurity practice, discusses the current cyber threat landscape and the relevant laws and rules. See “After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?,” The Cybersecurity Law Report, Vol. 1, No. 4 (May 20, 2015). The second part will detail her advice on preparing for and responding to a cyber incident and will include insight from her co-panelist Vincent Liu, a partner at security consulting firm Bishop Fox, on how security and legal teams can effectively work together throughout the process.

  • From Vol. 1 No.4 (May 20, 2015)

    Establishing Strong Cybersecurity and Data Privacy Leadership: The Roles of the Chief Information Security Officer and Chief Privacy Officer (Part Two of Two)

    With the dynamic nature of privacy concerns – caused by changing legal requirements, growing data collections and evolving technology – top privacy officers must manage a shifting realm with proactive communication, effective reporting lines and operational structures to ensure accurate implementation of privacy policies and protocols. Experts agree that it is optimal to have both a Chief Cybersecurity Officer or Chief Information Security Officer (CISO) and a separate Chief Privacy Officer (CPO). Some confuse these positions, thinking “that the security person should know all things privacy and the privacy person should know all things security and that is clearly not the case,” Michael Overly, a partner at Foley & Lardner, told The Cybersecurity Law Report. In this two-part article series, we define and distinguish the roles of CPO and CISO. This article, the second of the series, focuses on the CPO, including core responsibilities, considerations for structuring reporting lines and hiring for the position. The first article focused on the CISO.

  • From Vol. 1 No.3 (May 6, 2015)

    Establishing Strong Cybersecurity and Data Privacy Leadership: The Roles of the Chief Information Security Officer and Chief Privacy Officer (Part One of Two)

    Growing cybersecurity demands on companies require effective reporting lines and operational structures to manage cybersecurity-related job functions. Experts agree that it is optimal to have both a Chief Cybersecurity Officer or Chief Information Security Officer (CISO) and a separate Chief Privacy Officer (CPO). Some companies confuse these positions, thinking “that the security person should know all things privacy and the privacy person should know all things security, and that is clearly not the case,” Michael Overly, a partner at Foley & Lardner, told The Cybersecurity Law Report. In this two-part article series, we define and distinguish the roles of the CPO and CISO. Part One focuses on the CISO – including core responsibilities, best practices for structuring reporting lines, and considerations when hiring for the position – and Part Two will focus on the CPO.

  • From Vol. 1 No.1 (Apr. 8, 2015)

    How Can a Company Mitigate Cyber Risk with Cross-Departmental Decisionmaking?

    A lack of coordination among company units can be detrimental in many business areas, but when it comes to cybersecurity, isolated actions and decisions can pave a clear path to a data breach, and exacerbate the legal ramifications of that breach. In a guest article, Jennifer Topper of Topper Consulting explains: why cross-functional decisionmaking is so important in cybersecurity; how to make the business case for investing in proactive cyber planning; how to integrate the cybersecurity program; how to create a multidisciplinary group of stakeholders; and the role of the general counsel in information governance.
